The ravings of a SANS/GIAC GSE (Compliance & Malware)
For more information on my role as a presenter and commentator on IT Security, Digital Forensics, Statistics and Data Mining, e-mail me: "craigswright @ acm.org".

Dr. Craig S Wright GSE

Books

I have a few books and another is on the way for 2012. Firstly, I have to plug the first in the Syngress series of books on IT audit. This is a comprehensive compliance and governance handbook with EVERYTHING (from the high level to the hands-on for the expert) to get you started in IT compliance and systems security. The main book is "IT REGULATORY AND STANDARDS COMPLIANCE HANDBOOK". This is the first in a series I have planned and more will follow in time. There will be electronic updates to this book over time to keep it current.

I will be working on co-authoring a book on CIP (Critical Infrastructure Protection) - but more on this later.

On top of this I recycle computers. To do this I take 1.5- to 2-year-old corporate lease computers and refurbish them so that they can run the most current programs.

The question is - what do you do to help?

If you do not have the time, have you thought about a donation?

This blog has been monetised. This is where the money goes. By clicking and purchasing on this site, you help Burnside and Hackers for Charity. All monies earned here are split 50/50 between these two charities.

Tuesday, 5 February 2008

Civil Liability

The conduct of both agents and employees can result in liability being imposed vicariously on an organisation, both at common law[i] and by statute.[ii] The test for vicarious liability for an employee, under the doctrine of respondeat superior, requires that the act of the employee was committed in the course and within the capacity of their employment. A principal's liability arises where a 'principal-agent' relationship exists. Dal Pont[iii] recognises three possible categories of agent:

(a) those who can create legal relations on behalf of a principal with a third party;
(b) those who can affect legal relations on behalf of a principal with a third party; and
(c) a person who has authority to act on behalf of a principal.

Where a party is in an agency relationship, the principal is, strictly speaking, liable directly as principal rather than vicariously, although "this distinction has been treated as of little practical significance by the case law, being evident from judges' reference to principals as vicariously liable for their agents' acts"[iv]. The practical consequence is that an agency arrangement leaves the principal directly liable rather than vicariously liable.

The requirement that an employee act "within the scope of employment" is a broad term with no definitive definition in the law, but its principles have been settled through case law and include the following:

where an employer authorises an act but it is performed using an inappropriate or unauthorised approach, the employer remains liable[v];
the fact that an employee was not permitted to perform the act is not a defence[vi]; and
the mere fact that an act is illegal does not take it outside the scope of employment[vii].

Unauthorised access or computer fraud by an employee or agent might appear remote from the employee's scope of employment or the agent's duty. That alone does not absolve the employer or the principal, respectively, from vicarious liability[viii]. Similarly, it is no answer to a claim against an employer to assert that the wrong committed by the employee was for the employee's own benefit. This was authoritatively settled in Lloyd v Grace, Smith and Co.[ix], in which a solicitor was held liable for the fraud of his clerk, even though the fraud was exclusively for the clerk's own advantage. It was declared that "the loss occasioned by the fault of a third person in such circumstances ought to fall upon the one of the two parties who clothed that third person as agent with the authority by which he was enabled to commit the fraud"[x]. Lloyd v Grace, Smith and Co.[xi] was also referred to by Dixon J in the leading Australian High Court case, Deatons Pty Ltd v Flew[xii]. The case concerned an assault by the appellant's barmaid, who hurled a beer glass at a patron. Dixon J stated that a servant's deliberate unlawful act may attract liability for the master where "they are acts to which the ostensible performance of his master's work gives occasion or which are committed under cover of the authority the servant is held out as possessing or of the position in which he is placed as a representative of his master"[xiii]. On the facts, however, the employer was held not liable: the barmaid's act was found to be one of personal retaliation rather than an act done in the course of her employment, which marks the limit of the principle.

On this authority, it is generally accepted that if an employee commits fraud or misuses a computer system to carry out an illicit act that causes damage to a third party, the employer may be held liable for that conduct. In the case of a principal's agent, the principal is deemed directly liable.

In the context of the Internet, the scope within which a party may be liable is wide indeed. A staff member, or even a consultant acting as an agent, who publishes prohibited or proscribed material on websites and blogs, alters systems or data, attacks the site of another party, or takes many other actions could leave an organisation liable. Stevenson Jordan and Harrison v MacDonald and Evans (1952)[xiv] provides an example of this type of action. The case turned on whether the defendant (the employer) could be held liable, under the principles of vicarious liability, for an employee's publication of assorted "trade secrets" in infringement of copyright. The employee did not work solely for the employer, so the question arose whether the "master-servant" relationship between the parties was sufficient for vicarious liability to attach. The conventional "control test" (whether the worker was engaged under a "contract for services" or a "contract of service") was replaced in these circumstances by a test of whether the tort-feasor was performing functions that were an "integral part of the business" or "merely ancillary to the business". In the former case, vicarious liability extends to the employer. By the same test, a contract worker who acts as web master for an organisation, a role integral to its business, and who loads trade-protected material onto their own blog without authority is likely to leave the organisation liable for those actions.

In Meridian Global Funds Management Asia Limited v Securities Commission[xv], two employees of MGFMA, acting without the knowledge of the company's directors but within the extent of their authority, purchased shares with company funds. The issue was whether the company knew, or should have known, that it had purchased the shares. The Privy Council held that, whether by virtue of the employees' actual or ostensible authority as agents acting within their authority[xvi] or as employees acting in the course of their employment[xvii], the acts, omissions and knowledge of the employees could be attributed to the company. This opens the possibility of liability as joint tort-feasors where directors have, on their own behalf, also accepted a degree of responsibility[xviii]. If a director or officer is expressly authorised to make a particular class of representation for the company, and deceptively makes a representation of that class to another party who suffers loss as a result, the company will be liable even if the particular representation was made in an improper manner to achieve what was, in effect, authorised.

The degree of authority is a question of fact and relies on appreciably more than the fact that employment gave the employee the occasion to carry out the fraud. Panorama Developments (Guildford) Limited v Fidelis Furnishing Fabrics Limited[xix] involved a company secretary who deceitfully hired vehicles for personal use without the managing director's knowledge. Since a company secretary customarily authorises contracts for the company and so appears to have ostensible authority to hire a vehicle, the company was held liable for the employee's actions.

Criminal Liability

Employers can be held either directly or vicariously liable for the criminal conduct of their employees.

Direct liability for an organisation or company is the class of liability that arises when the company itself permits the employee's action. Lord Reid in Tesco Supermarkets Limited v Nattrass[xx] held that this occurs when someone is "not acting as a servant, representative, agent or delegate" of the company, but as "an embodiment of the company"[xxi]. Where a company is involved, this principle usually relates to the conduct of directors and company officers when they are acting for or "as the company". Since directors can delegate their responsibilities, direct liability may extend to employees who act under that delegated authority. The employer may be directly liable for the crime where it can be shown that an act or omission of the company itself caused or accepted the employee's commission of the crime.

Where prosecution of the crime requires proof of mens rea[xxii], the company cannot be found vicariously liable for the act of an employee. The company may still be found vicariously liable for an offence committed by an employee if the offence does not require mens rea[xxiii] for its prosecution, or where vicarious liability is created, expressly or impliedly, by statute. Strict liability offences fall into this category. For strict liability offences, and those that statute establishes as applying to companies, the conduct or mental state of an employee is attributed to the company provided the employee is acting within their authority.

The readiness of courts to attribute criminal liability to a company for the actions of its employees appears to be increasing, as the Privy Council decision in Meridian Global Funds Management Asia Ltd v Securities Commission[xxiv], discussed above, demonstrates. Fraudulent activity of this kind can only be expected to become easier as companies adopt new technologies, and the attribution of criminal liability to an organisation in this manner may broaden to cover employees' abuse of those technologies.

It is worth noting that both the Data Protection Act 1998[xxv] and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000[xxvi] make it illegal to use equipment connected to a telecommunications network for the commission of an offence. The Protection of Children Act 1978[xxvii] and the Criminal Justice Act 1988[xxviii] make it a criminal offence to distribute or possess indecent photographs of a child, including scanned, digital or computer-generated images (the age threshold, originally 16, was raised to 18 by the Sexual Offences Act 2003). Further, the Obscene Publications Act 1959[xxix] extends to computer material, making it a criminal offence to publish an article whose effect, taken as a whole, would tend to deprave and corrupt those likely to read, see or hear it. While these Acts do not of themselves create vicarious liability, they increase the penalties a company is exposed to if it is liable for the acts of an employee who commits offences using the Internet.